I've found what I believe is a security bug in the comments
controller. Here is the offending action:
def show
  # Looks up the comment by the id given in the URL
  @comment = Comment.find(params[:id])
  # Dumps every attribute of the record, private fields included, into the response
  render :text => @comment.inspect
end
The problem is that we are rendering the entire comment object to any
logged in user. This gives anyone access to a few fields that we
should keep private. In particular, I'm worried about the
author_email and author_ip fields.
Here is a patch where I removed the comment show action entirely:
http://github.com/jtgeibel/communityengine/commit/d5699273f3c6ad5d18c3d924f1d8e0626ce1d419
Alternatively, you could check if the current user is an admin before
rendering.
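As an added illustration (not code from the post or from CommunityEngine), here is a plain-Ruby model of the two approaches, without Rails: the vulnerable action is reproduced as a function that dumps the whole object, and a hardened version serializes only a whitelist of fields, adding author_email and author_ip only for admins. Field names other than author_email and author_ip, the User/Comment structs and the sample values are all assumptions constructed for the example.

```ruby
require 'json'

# Constructed stand-ins for the ActiveRecord models (assumption: a comment has
# id, body, author_email and author_ip; users carry an admin flag).
Comment = Struct.new(:id, :body, :author_email, :author_ip, keyword_init: true)
User = Struct.new(:login, :admin, keyword_init: true)

# Fields safe to show any logged-in user vs. fields only admins may see.
PUBLIC_FIELDS = %w[id body].freeze
PRIVATE_FIELDS = %w[author_email author_ip].freeze

# Mirrors the vulnerable "show" action: inspect dumps every attribute,
# regardless of who is asking.
def vulnerable_show(comment, _current_user)
  comment.inspect
end

# Hardened variant: pick the fields from an explicit whitelist, widened
# only when the current user is an admin, and serialize just those.
def safe_show(comment, current_user)
  fields = current_user.admin ? PUBLIC_FIELDS + PRIVATE_FIELDS : PUBLIC_FIELDS
  JSON.generate(fields.each_with_object({}) { |f, h| h[f] = comment[f] })
end

# Simple leak check usable in a regression test: does the rendered
# response contain the value of any private field?
def leaks_private?(rendered, comment)
  PRIVATE_FIELDS.any? { |f| rendered.include?(comment[f].to_s) }
end

# Constructed sample data.
SAMPLE_COMMENT = Comment.new(id: 1, body: 'Nice post!',
                             author_email: 'someone@example.com',
                             author_ip: '203.0.113.7')
MEMBER = User.new(login: 'bob', admin: false)
ADMIN = User.new(login: 'root', admin: true)

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, member: #{vulnerable_show(SAMPLE_COMMENT, MEMBER)}"
  puts "safe, member:       #{safe_show(SAMPLE_COMMENT, MEMBER)}"
  puts "safe, admin:        #{safe_show(SAMPLE_COMMENT, ADMIN)}"
end
```

The point of the whitelist over a blacklist is that a new private column added to comments later stays hidden by default instead of leaking through inspect.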
You received this message because you are subscribed to the Google Groups
"CommunityEngine" group: http://groups.google.com/group/communityengine?hl=en